They can be MITM'd by anyone on a hop between you and the server, and unless they're an authenticode-signed exe they could also have been subtly tampered with at rest
Mind you, HTTPS doesn't mean downloads are safe. Not remotely so. HTTP just means they're way less safe, and if you're on a HTTPS website it definitely should not be serving downloads over HTTP
Mind you, HTTPS doesn't mean downloads are safe. Not remotely so. HTTP just means they're way less safe, and if you're on a HTTPS website it definitely should not be serving downloads over HTTP